Credentials, and more precisely cryptographic credentials, are commonly known and used in cryptography-based applications, e.g. cryptographically secured exchange of data between computer systems or devices, to certify information. A credential holder, who is requested to provide information, may provide the requested information and use a credential to prove that the provided information is correct and trustworthy. A cryptographic credential is essentially a certificate generated via a cryptographic process. Such a credential is issued by a credential issuing entity to a credential holder after the information to be certified by the credential has been appropriately verified. The information in question is cryptographically encoded in the credential to certify the correctness of said information. In particular, the information to be certified may be represented by some value or function which is then encoded in the credential via a cryptographic algorithm. When requested by a verifying entity to provide certain information and to prove the same, the credential holder may provide the requested information and use a credential, in which this information is encoded, to make a suitable proof to the verifying entity, via various cryptographic proof protocols.
Sometimes such credentials need to be revoked, e.g. when the secret cryptographic keys to which the credential is bound have been exposed or the credential holder has lost the right to possess the credential.
Revocation tasks are carried out by revocation authorities. The revocation authority creates and maintains a revocation list with revocation statuses of credentials. This list may be a whitelist or a blacklist, listing all the credentials which are valid or invalid, respectively. A credential becomes invalid by revoking the same. The revocation is performed through a revocation handle, i.e. a dedicated unique identifier that the issuing entity embeds in each issued credential. When a credential is to be revoked, a request for revocation must be provided to the revocation authority. Upon receiving a valid request for revocation of a credential, the revocation authority deletes the respective credential from, or adds it to, the revocation list, depending on whether it is a whitelist or a blacklist.
In order to prove that a credential used for certifying information is valid, i.e. not revoked, membership or non-membership of the credential's revocation handle in the revocation authority's whitelist or blacklist has to be proven.
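The whitelist case can be illustrated with an added example that is not part of the original text: a revocation authority publishes a Merkle hash-tree root over the listed revocation handles, and a holder proves membership with a sibling path. The Merkle tree, the names `WhitelistAuthority`, `prove` and `verify`, and byte-string handles are assumptions chosen for illustration; the text names no specific proof technique, this proof discloses the handle to the verifier, and the verifier is assumed to obtain the current root authentically from the authority.

```python
import hashlib

def _h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def _leaf(handle: bytes) -> bytes:
    return _h(b"\x00" + handle)        # prefix separates leaves from inner nodes

def _node(left: bytes, right: bytes) -> bytes:
    return _h(b"\x01" + left + right)

class WhitelistAuthority:              # hypothetical revocation authority
    def __init__(self, handles):
        self.handles = set(handles)    # revocation handles of valid credentials

    def revoke(self, handle: bytes) -> None:
        self.handles.discard(handle)   # whitelist: revoking deletes the handle

    def _levels(self):
        level = [_leaf(x) for x in sorted(self.handles)]
        levels = [level]
        while len(level) > 1:
            nxt = [_node(level[i], level[i + 1]) for i in range(0, len(level) - 1, 2)]
            if len(level) % 2:
                nxt.append(level[-1])  # odd node is carried up, never duplicated
            level = nxt
            levels.append(level)
        return levels

    def root(self) -> bytes:           # value the authority would sign and publish
        top = self._levels()[-1]
        return top[0] if top else _h(b"")

    def prove(self, handle: bytes):
        if handle not in self.handles:
            return None                # revoked or never listed: no proof exists
        levels, i = self._levels(), sorted(self.handles).index(handle)
        path = []
        for level in levels[:-1]:
            if (i ^ 1) < len(level):   # a carried-up node has no sibling here
                path.append((level[i ^ 1], (i ^ 1) > i))
            i //= 2
        return path

def verify(root: bytes, handle: bytes, path) -> bool:
    acc = _leaf(handle)                # recompute the root from leaf and siblings
    for sibling, sibling_on_right in path:
        acc = _node(acc, sibling) if sibling_on_right else _node(sibling, acc)
    return acc == root
```

After `revoke`, the authority's root changes, so a path issued before the revocation no longer verifies against the current root.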